Lookout - Critical Audit and Policy Changes v2

Back


Id	6b2d4e8a-5f7c-4b9e-8a1d-3c5e7a9b2f4d
Rulename	Lookout - Critical Audit and Policy Changes (v2)
Description	Monitors critical audit events and policy changes from Lookout Mobile Risk API v2. Detects unauthorized configuration changes, policy modifications, security setting adjustments, and administrative actions that could impact mobile security posture. Provides comprehensive audit trail for compliance and security governance.
Severity	Medium
Tactics	DefenseEvasion Persistence PrivilegeEscalation Impact
Techniques	T1629 T1626
Required data connectors	LookoutAPI
Kind	Scheduled
Query frequency	15m
Query period	1h
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Lookout/Analytic Rules/LookoutAuditEventV2.yaml
Version	2.0.3
Arm template	6b2d4e8a-5f7c-4b9e-8a1d-3c5e7a9b2f4d.json

KQL

LookoutEvents
| where EventType == "AUDIT"
| where AuditType in ("POLICY_CHANGE", "SECURITY_SETTING_CHANGE", "USER_MANAGEMENT", "CONFIGURATION_CHANGE")
| extend 
    ChangeImpact = case(
        AuditType == "POLICY_CHANGE", "High",
        AuditType == "SECURITY_SETTING_CHANGE", "High",
        AuditType == "USER_MANAGEMENT", "Medium",
        AuditType == "CONFIGURATION_CHANGE", "Medium",
        "Low"
    ),
    RiskLevel = case(
        ActorType == "SYSTEM" and AuditType in ("POLICY_CHANGE", "SECURITY_SETTING_CHANGE"), "Automated Change",
        ActorType == "ADMIN_USER" and AuditType == "POLICY_CHANGE", "Administrative Change",
        ActorType == "USER" and AuditType in ("POLICY_CHANGE", "SECURITY_SETTING_CHANGE"), "Unauthorized Change",
        ActorType == "UNKNOWN", "Suspicious Change",
        "Standard Change"
    )
| extend SecurityImplications = case(
    AuditAttributeChanges has "threat_response_level" and AuditAttributeChanges has "LOW", "Threat Response Weakened",
    AuditAttributeChanges has "auto_quarantine_enabled" and AuditAttributeChanges has "false", "Auto-Quarantine Disabled",
    AuditAttributeChanges has "compliance_enforcement" and AuditAttributeChanges has "false", "Compliance Enforcement Disabled",
    AuditAttributeChanges has "device_wipe_enabled" and AuditAttributeChanges has "false", "Device Wipe Disabled",
    AuditAttributeChanges has "admin" or AuditAttributeChanges has "privilege", "Privilege Changes",
    "Configuration Update"
)
| extend ComplianceRisk = case(
    SecurityImplications in ("Threat Response Weakened", "Auto-Quarantine Disabled", "Compliance Enforcement Disabled"), "Critical",
    SecurityImplications == "Device Wipe Disabled", "High",
    SecurityImplications == "Privilege Changes", "High",
    RiskLevel == "Unauthorized Change", "High",
    RiskLevel == "Suspicious Change", "Medium",
    "Low"
)
| extend ChangeDetails = case(
    isnotempty(AuditAttributeChanges), strcat("Attribute changes: ", tostring(AuditAttributeChanges)),
    isnotempty(TargetGuid), strcat("Target: ", TargetType, " (", TargetGuid, ")"),
    "General audit event"
)
| project
    TimeGenerated,
    EventId,
    AuditType,
    ChangeImpact,
    RiskLevel,
    SecurityImplications,
    ComplianceRisk,
    ChangeDetails,
    AuditAttributeChanges,
    ActorType,
    ActorGuid,
    TargetType,
    TargetGuid,
    TargetEmailAddress,
    ChangeType,
    EnterpriseGuid

YAML

relevantTechniques:
- T1629
- T1626
version: 2.0.3
severity: Medium
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    reopenClosedIncident: false
    groupByCustomDetails:
    - SecurityImpact
    - ComplianceRisk
    - ActorType
    enabled: true
    groupByAlertDetails:
    - AuditType
    - ActorGuid
    matchingMethod: Selected
    groupByEntities:
    - Account
    lookbackDuration: P1D
name: Lookout - Critical Audit and Policy Changes (v2)
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Lookout/Analytic Rules/LookoutAuditEventV2.yaml
customDetails:
  TargetType: TargetType
  ComplianceRisk: ComplianceRisk
  ChangeImpact: ChangeImpact
  ChangeType: ChangeType
  ActorType: ActorType
  SecurityImpact: SecurityImplications
  AuditType: AuditType
  RiskLevel: RiskLevel
description: |
    'Monitors critical audit events and policy changes from Lookout Mobile Risk API v2. Detects unauthorized configuration changes, policy modifications, security setting adjustments, and administrative actions that could impact mobile security posture. Provides comprehensive audit trail for compliance and security governance.'
queryFrequency: 15m
suppressionDuration: PT30M
tactics:
- DefenseEvasion
- Persistence
- PrivilegeEscalation
- Impact
triggerThreshold: 0
queryPeriod: 1h
suppressionEnabled: false
id: 6b2d4e8a-5f7c-4b9e-8a1d-3c5e7a9b2f4d
eventGroupingSettings:
  aggregationKind: AlertPerResult
entityMappings:
- fieldMappings:
  - identifier: FullName
    columnName: ActorGuid
  - identifier: Name
    columnName: TargetEmailAddress
  entityType: Account
- fieldMappings:
  - identifier: HostName
    columnName: TargetGuid
  entityType: Host
requiredDataConnectors:
- connectorId: LookoutAPI
  dataTypes:
  - LookoutEvents
triggerOperator: gt
alertDetailsOverride:
  alertSeverityColumnName: ComplianceRisk
  alertTacticsColumnName: SecurityImplications
  alertDisplayNameFormat: 'Critical Audit Event: {{SecurityImplications}} by {{ActorType}}'
  alertDescriptionFormat: '{{AuditType}} by {{ActorType}} with {{ComplianceRisk}} risk'
status: Available
query: |
  LookoutEvents
  | where EventType == "AUDIT"
  | where AuditType in ("POLICY_CHANGE", "SECURITY_SETTING_CHANGE", "USER_MANAGEMENT", "CONFIGURATION_CHANGE")
  | extend 
      ChangeImpact = case(
          AuditType == "POLICY_CHANGE", "High",
          AuditType == "SECURITY_SETTING_CHANGE", "High",
          AuditType == "USER_MANAGEMENT", "Medium",
          AuditType == "CONFIGURATION_CHANGE", "Medium",
          "Low"
      ),
      RiskLevel = case(
          ActorType == "SYSTEM" and AuditType in ("POLICY_CHANGE", "SECURITY_SETTING_CHANGE"), "Automated Change",
          ActorType == "ADMIN_USER" and AuditType == "POLICY_CHANGE", "Administrative Change",
          ActorType == "USER" and AuditType in ("POLICY_CHANGE", "SECURITY_SETTING_CHANGE"), "Unauthorized Change",
          ActorType == "UNKNOWN", "Suspicious Change",
          "Standard Change"
      )
  | extend SecurityImplications = case(
      AuditAttributeChanges has "threat_response_level" and AuditAttributeChanges has "LOW", "Threat Response Weakened",
      AuditAttributeChanges has "auto_quarantine_enabled" and AuditAttributeChanges has "false", "Auto-Quarantine Disabled",
      AuditAttributeChanges has "compliance_enforcement" and AuditAttributeChanges has "false", "Compliance Enforcement Disabled",
      AuditAttributeChanges has "device_wipe_enabled" and AuditAttributeChanges has "false", "Device Wipe Disabled",
      AuditAttributeChanges has "admin" or AuditAttributeChanges has "privilege", "Privilege Changes",
      "Configuration Update"
  )
  | extend ComplianceRisk = case(
      SecurityImplications in ("Threat Response Weakened", "Auto-Quarantine Disabled", "Compliance Enforcement Disabled"), "Critical",
      SecurityImplications == "Device Wipe Disabled", "High",
      SecurityImplications == "Privilege Changes", "High",
      RiskLevel == "Unauthorized Change", "High",
      RiskLevel == "Suspicious Change", "Medium",
      "Low"
  )
  | extend ChangeDetails = case(
      isnotempty(AuditAttributeChanges), strcat("Attribute changes: ", tostring(AuditAttributeChanges)),
      isnotempty(TargetGuid), strcat("Target: ", TargetType, " (", TargetGuid, ")"),
      "General audit event"
  )
  | project
      TimeGenerated,
      EventId,
      AuditType,
      ChangeImpact,
      RiskLevel,
      SecurityImplications,
      ComplianceRisk,
      ChangeDetails,
      AuditAttributeChanges,
      ActorType,
      ActorGuid,
      TargetType,
      TargetGuid,
      TargetEmailAddress,
      ChangeType,
      EnterpriseGuid  
kind: Scheduled

ARM